fix(cortex-update): address security vulnerabilities

- Remove blanket warning suppression in lib.rs
- Add SAFETY comment for unsafe MoveFileExW call in install.rs
- Add path traversal protection in extract_tar_gz and extract_zip
- Use cryptographically secure random bytes (getrandom) for temp dir
- Add HTTPS URL validation with localhost exception for dev
- Log warning when config parsing fails

Author: echobt

src/cortex-update/Cargo.toml

@@ -39,6 +39,9 @@ flate2 = "1.0"
 zip = "2.2"
 tar = "0.4"
 
+# Secure random
+getrandom = "0.2"
+
 # Self-replacement
 self-replace = "1.5"
 

src/cortex-update/src/api.rs

@@ -95,6 +95,18 @@ impl CortexSoftwareClient {
 
     /// Create a new client with a custom URL.
     pub fn with_url(base_url: String) -> Self {
+        // Validate URL uses HTTPS for security (allow http for localhost development only)
+        let url_lower = base_url.to_lowercase();
+        if !url_lower.starts_with("https://")
+            && !url_lower.starts_with("http://localhost")
+            && !url_lower.starts_with("http://127.0.0.1")
+        {
+            tracing::warn!(
+                "Custom update URL does not use HTTPS. This could allow man-in-the-middle attacks: {}",
+                base_url
+            );
+        }
+
         let client = create_client_builder()
             .build()
             .unwrap_or_else(|_| Client::new());

src/cortex-update/src/config.rs

@@ -108,8 +108,15 @@ impl UpdateConfig {
 
         if let Some(path) = config_path {
             if let Ok(content) = std::fs::read_to_string(&path) {
-                if let Ok(config) = serde_json::from_str(&content) {
-                    return config;
+                match serde_json::from_str(&content) {
+                    Ok(config) => return config,
+                    Err(e) => {
+                        tracing::warn!(
+                            "Failed to parse update config at {}: {}. Using defaults.",
+                            path.display(),
+                            e
+                        );
+                    }
                 }
             }
         }

src/cortex-update/src/download.rs

@@ -63,16 +63,13 @@ impl Downloader {
     /// Uses a randomly-named subdirectory to prevent symlink attacks and
     /// predictable file name exploits.
     pub fn new(client: CortexSoftwareClient) -> UpdateResult<Self> {
-        // Use a random suffix to prevent predictable temp directory names
-        // This mitigates symlink attacks where an attacker pre-creates
-        // files with expected names
-        let random_suffix: u64 = std::time::SystemTime::now()
-            .duration_since(std::time::UNIX_EPOCH)
-            .map(|d| d.as_nanos() as u64)
-            .unwrap_or(0)
-            ^ std::process::id() as u64;
-
-        let temp_dir = std::env::temp_dir().join(format!("cortex-update-{:x}", random_suffix));
+        // Use cryptographically secure random bytes to prevent predictable temp directory names
+        // This mitigates symlink attacks where an attacker pre-creates files with expected names
+        let mut random_bytes = [0u8; 8];
+        getrandom::getrandom(&mut random_bytes).map_err(|_| UpdateError::TempDirFailed)?;
+        let random_suffix = u64::from_ne_bytes(random_bytes);
+
+        let temp_dir = std::env::temp_dir().join(format!("cortex-update-{:016x}", random_suffix));
 
         // Create with restrictive permissions on Unix
         #[cfg(unix)]

src/cortex-update/src/install.rs

@@ -120,12 +120,39 @@ impl Installer {
     }
 
     /// Extract a tar.gz archive.
-    async fn extract_tar_gz(&self, archive: &Path, dest: &Path) -> UpdateResult<PathBuf> {
+    async fn extract_tar_gz(&self, archive_path: &Path, dest: &Path) -> UpdateResult<PathBuf> {
         use flate2::read::GzDecoder;
         use std::fs::File;
         use tar::Archive;
 
-        let file = File::open(archive)?;
+        let file = File::open(archive_path)?;
+        let gz = GzDecoder::new(file);
+        let mut archive = Archive::new(gz);
+
+        // Validate paths before extraction to prevent path traversal attacks
+        for entry in archive.entries().map_err(|e| UpdateError::ExtractionFailed {
+            message: e.to_string(),
+        })? {
+            let entry = entry.map_err(|e| UpdateError::ExtractionFailed {
+                message: e.to_string(),
+            })?;
+            let path = entry.path().map_err(|e| UpdateError::ExtractionFailed {
+                message: e.to_string(),
+            })?;
+
+            // Check for path traversal
+            if path
+                .components()
+                .any(|c| matches!(c, std::path::Component::ParentDir))
+            {
+                return Err(UpdateError::ExtractionFailed {
+                    message: format!("Path traversal detected in archive: {}", path.display()),
+                });
+            }
+        }
+
+        // Re-open and extract after validation
+        let file = File::open(archive_path)?;
         let gz = GzDecoder::new(file);
         let mut archive = Archive::new(gz);
 
@@ -139,8 +166,35 @@ impl Installer {
     }
 
     /// Extract a zip archive.
-    async fn extract_zip(&self, archive: &Path, dest: &Path) -> UpdateResult<PathBuf> {
-        let file = std::fs::File::open(archive)?;
+    async fn extract_zip(&self, archive_path: &Path, dest: &Path) -> UpdateResult<PathBuf> {
+        let file = std::fs::File::open(archive_path)?;
+        let mut archive =
+            zip::ZipArchive::new(file).map_err(|e| UpdateError::ExtractionFailed {
+                message: e.to_string(),
+            })?;
+
+        // Validate all paths before extraction to prevent path traversal attacks
+        for i in 0..archive.len() {
+            let file = archive
+                .by_index(i)
+                .map_err(|e| UpdateError::ExtractionFailed {
+                    message: e.to_string(),
+                })?;
+            let path = std::path::Path::new(file.name());
+
+            // Check for path traversal
+            if path
+                .components()
+                .any(|c| matches!(c, std::path::Component::ParentDir))
+            {
+                return Err(UpdateError::ExtractionFailed {
+                    message: format!("Path traversal detected in archive: {}", file.name()),
+                });
+            }
+        }
+
+        // Re-open and extract after validation
+        let file = std::fs::File::open(archive_path)?;
         let mut archive =
             zip::ZipArchive::new(file).map_err(|e| UpdateError::ExtractionFailed {
                 message: e.to_string(),
@@ -244,6 +298,11 @@ impl Installer {
         const MOVEFILE_REPLACE_EXISTING: u32 = 0x1;
         const MOVEFILE_DELAY_UNTIL_REBOOT: u32 = 0x4;
 
+        // SAFETY: MoveFileExW is a Windows API function that schedules a file move/rename
+        // operation to occur at the next system restart. We pass valid null-terminated
+        // wide strings for source and destination paths. The MOVEFILE_DELAY_UNTIL_REBOOT
+        // flag ensures this is a deferred operation. The return value of 0 indicates failure,
+        // in which case we retrieve the error via last_os_error().
         let result = unsafe {
             windows_sys::Win32::Storage::FileSystem::MoveFileExW(
                 old_path.as_ptr(),

src/cortex-update/src/lib.rs

@@ -1,4 +1,3 @@
-#![allow(warnings, clippy::all)]
 //! Cortex Update - Auto-update system for Cortex CLI
 //!
 //! Provides automatic update checking and installation via:
@@ -36,6 +35,7 @@ mod version;
 
 pub use api::{CortexSoftwareClient, ReleaseAsset, ReleaseInfo};
 pub use config::{ReleaseChannel, UpdateConfig, UpdateMode};
+pub use download::DownloadProgress;
 pub use error::{UpdateError, UpdateResult};
 pub use install::DownloadedUpdate;
 pub use manager::{UpdateInfo, UpdateManager, UpdateOutcome};